Detection: Windows Findstr GPP Discovery

Description

The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.

Annotations

No annotations available.

Implementation

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.

Associated Analytic Story

• Active Directory Privilege Escalation

Risk Based Analytics (RBA)

References

• https://attack.mitre.org/techniques/T1552/006/

• https://pentestlab.blog/2017/03/20/group-policy-preferences/

• https://adsecurity.org/?p=2288

• https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/

• https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30

Version: 4